public inbox for linux-kernel@vger.kernel.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Sasha Levin <sashal@kernel.org>,
	linux-kernel@vger.kernel.org, cve@kernel.org,
	Jiri Kosina <jkosina@suse.cz>
Subject: Re: CVE-2023-52437: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
Date: Wed, 21 Feb 2024 19:21:49 +0100
Message-ID: <2024022129-expiring-resurface-146c@gregkh>
In-Reply-To: <3ebbc121-8cb8-4b8d-ad5d-fb5c576e5171@redhat.com>

On Wed, Feb 21, 2024 at 04:56:31PM +0100, Paolo Bonzini wrote:
> To recap:
> 
> - the CVE description comes from upstream commit bed9e27baf52
> 
> - neither the CVE mitigation section nor the mentioned kernel releases
> fix the bug mentioned in the upstream commit, because the mitigation
> section also includes commits that _revert_ commit bed9e27baf52
> 
> - this second revert is not mentioned anywhere, so the CVE description
> is at best misleading; or perhaps more accurately described as
> "completely f***ed up".
> 
> I'm sure it's just a bug in the scripts, but it's worrisome that you
> don't acknowledge this.

Yes, this is a bug in the scripts, but it wasn't obvious what you were
objecting to here honestly.  Reverts were not anything I tested the
scripts with before now, and I'm sure there are going to be more cases
that fail in odd ways too.  We'll fix them when they show up, that's the
best we can do.

I'll look at it tomorrow and try to figure it out, if nothing else, I'll
just manually update the json record and push the update to cve.org as
that's the "canonical" record here.  The json files will be updated over
time as new releases happen and patches flow backwards, so they will be
updated, but for now, sending out new email messages all the time would
be a mess.

However in this case, I'll fix it up and send out a new announcement as
obviously it's wrong in places.

If you want to replace the wording in the description here with anything
else better, PLEASE let us know and we will be glad to do so.

That's the benefit of being a CNA, we can ACTUALLY MODIFY the CVE
records, previously it was almost impossible to ever do so.

thanks,

greg k-h
